MITRE ATT&CK® Analytic

AN1518: Analytic 1518

Access to user private key directories (e.g., /Users/*/.ssh) via Terminal, scripting engines, or non-default processes.

Enterprise | AN1518 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic is about watching for access to macOS user private key directories, such as /Users/*/.ssh, by Terminal, scripting engines, or other non-default processes. For leaders, the business issue is identity risk: private keys can be used to authenticate to systems and services, so visibility into unusual access helps determine whether an incident may involve credential exposure and follow-on access risk.

Executive priority

Prioritize this as an identity and incident-readiness control for macOS environments that store SSH or similar private keys locally. Executives should ask whether the organization can prove which processes access user key directories, whether SOC teams can distinguish normal administrator or developer activity from unusual access, and whether incident responders have a playbook for possible private key exposure and rotation.

Technical view

Validate macOS telemetry for file or directory access to user private key paths, especially /Users/*/.ssh, and correlate the accessing process with expected tools. The supplied analytic highlights Terminal, scripting engines, and non-default processes as relevant process categories. Because no official detection logic or ATT&CK tactic is supplied, teams should treat this as a coverage-validation requirement rather than a complete rule: confirm process name/path, parent process, user account, command context where available, and whether access aligns with expected administrative, developer, or automation workflows.

Likely telemetry

  • macOS file access events for /Users/*/.ssh or equivalent user private key directories
  • Process execution telemetry for Terminal, scripting engines, and non-default processes
  • Process lineage including parent and child process context
  • User account context associated with private key directory access
  • Endpoint security or audit logs that can show file-read or directory-enumeration activity

Detection direction

  • Build or validate detections for unusual process access to user private key directories on macOS.
  • Baseline expected access by developers, administrators, backup tools, endpoint agents, and automation to reduce false positives.
  • Prioritize alerts where a scripting engine or uncommon process accesses private key paths unexpectedly.
  • Correlate file access with process lineage and user context before escalating, since legitimate Terminal-based SSH administration may access these paths.
  • Document blind spots where endpoint telemetry records process execution but not file access to private key directories.
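The following is an added illustration of the detection direction above (and of the "Technical view" checks on process name, parent process and user context); it is not Glexia's or MITRE's detection logic, and no official query exists for this analytic. The event shape, field names, baseline process list and sample events are all constructed assumptions: a real macOS endpoint agent (Endpoint Security framework consumer, EDR, or audit log) will have its own schema, so the mapping must be adapted. The logic keeps known SSH tools launched from a terminal quiet, raises scripting-engine access to the highest severity, and flags everything else under /Users/*/.ssh for analyst review.

```python
"""Detection sketch for access to user private key directories on macOS
(AN1518 direction).  Added example, not the page's or MITRE's own logic.
All field names, baselines and sample events below are constructed."""
import json
import fnmatch
import posixpath
from typing import List, Optional

# Paths the analytic names as user private key directories (plus files inside).
KEY_DIR_PATTERNS = ["/Users/*/.ssh", "/Users/*/.ssh/*"]

# Site baseline of tools expected to touch key material.  Assumption for
# illustration; derive yours from observed developer/admin/backup activity.
BASELINE_PROCESSES = {"ssh", "ssh-add", "ssh-agent", "ssh-keygen", "scp", "sftp", "git"}

# Interpreters the analytic refers to as "scripting engines" (assumed list).
SCRIPTING_ENGINES = {"python3", "python", "perl", "ruby", "osascript", "node"}

# Parents that indicate an interactive terminal session (assumed list).
TERMINAL_PARENTS = {"Terminal", "iTerm2", "zsh", "bash", "sh"}


def is_key_dir_access(path: str) -> bool:
    """True if path is a user key directory or a file inside one."""
    norm = posixpath.normpath(path)  # strips trailing "/" so dir enumerations match
    return any(fnmatch.fnmatchcase(norm, p) for p in KEY_DIR_PATTERNS)


def classify(event: dict) -> Optional[dict]:
    """Return an alert for a key-directory access, or None for baseline access
    (known SSH tooling launched from a terminal)."""
    if event.get("event_type") not in ("file_open", "dir_enumerate"):
        return None
    if not is_key_dir_access(event["path"]):
        return None

    proc = posixpath.basename(event["process_path"])
    parent = posixpath.basename(event.get("parent_path", ""))

    if proc in SCRIPTING_ENGINES:
        severity, reason = "high", "scripting engine read private key path"
    elif proc in BASELINE_PROCESSES and parent in TERMINAL_PARENTS:
        return None  # expected Terminal-based SSH administration
    elif proc in BASELINE_PROCESSES:
        severity, reason = "medium", "known SSH tool launched from non-terminal parent"
    else:
        severity, reason = "medium", "non-default process accessed private key path"

    return {"severity": severity, "reason": reason, "user": event.get("user"),
            "process": proc, "parent": parent, "path": event["path"]}


def run(lines: List[str]) -> List[dict]:
    """Parse JSON-lines events and return alerts, highest severity first."""
    alerts = []
    for line in lines:
        if line.strip():
            alert = classify(json.loads(line))
            if alert:
                alerts.append(alert)
    order = {"high": 0, "medium": 1}
    alerts.sort(key=lambda a: order[a["severity"]])  # stable: keeps event order within a tier
    return alerts


# Constructed sample events in a hypothetical agent schema (not real output).
SAMPLE_EVENTS = [
    '{"event_type":"file_open","path":"/Users/alice/.ssh/id_ed25519","process_path":"/usr/bin/ssh",'
    '"parent_path":"/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal","user":"alice"}',
    '{"event_type":"file_open","path":"/Users/alice/.ssh/id_ed25519","process_path":"/usr/bin/python3",'
    '"parent_path":"/bin/zsh","user":"alice"}',
    '{"event_type":"dir_enumerate","path":"/Users/bob/.ssh/","process_path":"/private/tmp/updater",'
    '"parent_path":"/sbin/launchd","user":"bob"}',
    '{"event_type":"file_open","path":"/Users/bob/.ssh/id_rsa","process_path":"/usr/bin/ssh",'
    '"parent_path":"/usr/libexec/xpcproxy","user":"bob"}',
    '{"event_type":"file_open","path":"/Users/alice/Documents/notes.txt","process_path":"/usr/bin/python3",'
    '"parent_path":"/bin/zsh","user":"alice"}',
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

On the sample input the Terminal-launched `ssh` read and the unrelated `notes.txt` read are suppressed, the `python3` read of a key file is ranked first, and the two remaining medium alerts (an unknown binary enumerating `.ssh`, and `ssh` launched from a non-terminal parent) are left for lineage and user-context review before escalation. The blind spot the last bullet describes shows up here directly: if the agent only emits process execution and never `file_open`/`dir_enumerate` events for these paths, `classify` has nothing to match and the detection is silently empty.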

Mitigation priorities

  • Limit local storage of private keys where operationally feasible and enforce least-privilege access to user key material.
  • Ensure private key exposure response procedures include investigation, revocation or rotation decisions, and validation of downstream access.
  • Harden macOS endpoint monitoring so SOC and IR teams can reconstruct which process and user accessed sensitive key directories.
  • Review administrative and developer workflows to identify legitimate access patterns that should be allowed but monitored.
  • Use this analytic as audit evidence for monitoring sensitive credential material only after confirming telemetry collection and alert handling are in place.

Analyst notes and limits

The ATT&CK object is a detection analytic for macOS focused on access to user private key directories via Terminal, scripting engines, or non-default processes. No tactics, official detection logic, relationships, or procedure examples were supplied, so the take emphasizes defensive validation and operational questions rather than asserting adversary behavior or coverage.

The source provides a concise description but no formal detection query, tactic mapping, related technique, data source list, or relationships. Local environment baselines are required to determine what process access is normal and what should be treated as suspicious.

Official MITRE ATT&CK definition

Analytic 1518

Access to user private key directories (e.g., /Users/*/.ssh) via Terminal, scripting engines, or non-default processes.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 86a6200ff51b5128...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 86a6200ff51b…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN1518

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.